Medical Devices Are The Weak Link

Uploaded on 2016-12-01 in NEWS-Cybersecurity News, FREE TO VIEW, BUSINESS-Services-Health & Welfare

For many users of Johnson & Johnson’s OneTouch Ping insulin pump, the benefit of ease of use has been outweighed by the fear of hacking.

In early October, the company sent letters to patients using the devices, alerting them to the fact that the OneTouch contained a cybersecurity flaw that could allow a hacker to reprogram the device to administer additional doses of the diabetes drug, which could be life-threatening.

In its letter to patients, Johnson & Johnson portrayed the risk as minimal. “The probability of unauthorized access to the OneTouch Ping System is extremely low,” it noted. “It would require technical expertise, sophisticated equipment and proximity to the pump.”

A spokesman for the company says it’s working to eliminate the vulnerability; it has laid out a series of steps patients can take to reduce the risk, such as turning off the pump’s wireless connection to a blood-sugar meter, or setting a limit on the amount of insulin that can be delivered.

The announcement is yet another stark reminder of known security issues that exist with medical devices, widely used by both providers and patients. Indeed, this is not the first time concerns have surfaced about the ease of hacking medical devices.

In mid-2015, the Food and Drug Administration took the unprecedented step of alerting users about cybersecurity vulnerabilities of the Hospira Symbiq Infusion System. The agency strongly encouraged healthcare facilities to discontinue use of the pumps.

And the FDA is not the only federal agency shining a spotlight on the vulnerabilities of medical devices. In 2014, the Federal Bureau of Investigation issued a report that predicted hackers could assail medical devices, and followed that up with an alert last year warning companies and the public about cybersecurity risks to networked medical devices and wearable sensors.

The threat to patient safety carries the biggest shock value, and healthcare organizations are widely concerned about those risks.

But the devices also pose risks to the networks of healthcare organizations, because they typically have weak defenses against malware and a medical device could serve as an easy entry point to providers’ internal data networks.

Security experts and federal officials say the devices could become the focal point of a perfect storm for compromising healthcare data security and placing patient safety at risk. That’s because the vulnerability of devices to cyber-attacks is well known, and hackers are becoming emboldened to find new ways to attack healthcare organizations.

Most security professionals are worried about the vulnerability of a myriad of networked medical devices that have Internet connectivity, from infusion pumps and X-ray scanners to picture archiving and communications systems, blood gas analyzers, medical imaging devices, medical lasers, life support equipment and many more.

These devices are expensive and last a long time, and providers may have them in place for five, 10 or 15 years or more, says Axel Wirth, healthcare solutions architect for Symantec. Software running the devices may be years old as well, and typically not easily protected by cyber defense software. 

What’s more, in many cases the devices are managed just by the manufacturer’s technicians, not a provider’s IT security staff.

Information Management:                  Medical Devices Vulnerable to Hackers:
 

« UK National Cyber Security College Locates To Bletchley Park
War In The Information Age »

CyberSecurity Jobsite
Check Point
Cyrin

Real Attacks. Real Tools. Real Scenarios.
Schedule a demo

Sign Up: Cyber Security Intelligence Newsletter

Directory of Suppliers

XYPRO Technology

XYPRO Technology

XYPRO is the market leader in HPE Non-Stop Security, Risk Management and Compliance.

LockLizard

LockLizard

Locklizard provides PDF DRM software that protects PDF documents from unauthorized access and misuse. Share and sell documents securely - prevent document leakage, sharing and piracy.

Practice Labs

Practice Labs

Practice Labs is an IT competency hub, where live-lab environments give access to real equipment for hands-on practice of essential cybersecurity skills.

ZenGRC

ZenGRC

ZenGRC (formerly Reciprocity) is a leader in the GRC SaaS landscape, offering robust and intuitive products designed to make compliance straightforward and efficient.

MIRACL

MIRACL

MIRACL provides the world’s only single step Multi-Factor Authentication (MFA) which can replace passwords on 100% of mobiles, desktops or even Smart TVs.

Tanium

Tanium

Tanium delivers Autonomous Endpoint Management (AEM) with the industry’s only true real-time platform for AI.

Digital Defense Inc (DDI)

Digital Defense Inc (DDI)

DDI offers vulnerability scanning, penetration testing, web application testing, social engineering and additional security assessments.

KLC Consulting

KLC Consulting

KLC Consulting offers information assurance / Security, IT Audit, and Information Technology products and services to government and Fortune 1000 companies.

ISARA Corp

ISARA Corp

ISARA Corporation is a security solutions company specializing in creating class-defining quantum-safe cryptography for today's computing ecosystems.

Tata Consultancy Services (TCS)

Tata Consultancy Services (TCS)

Tata Consultancy Services is a global leader in IT services, consulting & business solutions including cyber security.

NSIT

NSIT

NSIT SAS is a consulting, advisory and service provider in IT systems. Solution areas include networking & infrastructure, IT management & administration, and cyber security.

CyPhyCon

CyPhyCon

CyPhyCon is an annual event exploring threats and solutions to cyber attacks on cyber-physical systems such as industrial control systems, Internet of Things and Industrial Internet of Things.

Greylock Partners

Greylock Partners

Greylock Partners is a leading venture capital firm based in Silicon Valley. We invest in all sectors of enterprise software technology including applications, cloud/SaaS, networking and security.

SecAlliance

SecAlliance

SecAlliance is a cyber threat intelligence product and services company.

Artifice Security

Artifice Security

Artifice Security will demonstrate real-world attacks on your network, web applications, infrastructure, and personnel to expose your hidden security risks.

White Tuque

White Tuque

A new way to protect your organization. White Tuque is your partner in identifying threats, understanding your risk, and ensuring your business remains resilient.

endpointX

endpointX

endpointX is a preventative cyber security company. We help companies minimize their risk of breach by improving cyber hygiene.

Confidencial

Confidencial

Confidencial is a provider of solutions that help organizations secure their most sensitive information, regardless if that information exists inside or is shared outside the organization.

Evolver

Evolver

Evolver delivers technology services and solutions that improve security, promote innovation, and maximize operational efficiency in support of government and commercial customers.

American Binary

American Binary

American Binary is a Quantum Safe Networking (TM) and post-quantum encryption company.

DuckDuckGoose

DuckDuckGoose

DuckDuckGoose offer advanced solutions to protect against manipulated videos, images, voices and texts.